Sandfly 5.5.4 - Chinese Rootkit Decloaking

Sandfly 5.5.4 can further decloak the recently released suspected Chinese stealth rootkit on Linux. Additionally, we have expanded legacy device support and fixed bugs affecting drift detection.


Decloaking Chinese Kernel Module Rootkit

The recent release of a suspected Chinese Linux stealth rootkit (detailed in our blog post here) gave rise to some additional detection opportunities in this 5.5.4 release. In particular, while we had no trouble finding this rootkit on prior versions, we've now added the ability to completely decloak the module being hidden on affected hosts.


The new detection module is named kernel_module_vmalloc_artifact and will find kernel modules from this rootkit and its variants (such as Reptile) that have hidden themselves. If we see a module hidden with these methods, we will alert and tell you the name of the hidden module so security teams can investigate. Below we see the Chinese rootkit using the default name vmwfxs on a host.



This new detection combines with other detections we had already deployed, making this rootkit very obvious if it's operating on a host. Below are the alerts we generate from the active rootkit in idle mode waiting for backdoor activation.
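To show what a "vmalloc artifact" style check looks like in principle, here is an added example; it is not Sandfly's code and does not describe how the kernel_module_vmalloc_artifact module works internally. The idea it demonstrates is general: a module that unlinks itself from the kernel's module list vanishes from /proc/modules, but the memory the module loader allocated for it is still recorded in /proc/vmallocinfo, so a loader allocation that no listed module accounts for is an orphan worth investigating. The list of loader caller symbols, the single-contiguous-allocation assumption, and both sample inputs are assumptions constructed for the example.

```python
"""Cross-reference /proc/modules with module-loader allocations in /proc/vmallocinfo.

Added example (not Sandfly's implementation). Both sample inputs below are
constructed; on a real host read the two /proc files as root.
"""
import re
from dataclasses import dataclass
from typing import List

# Caller symbols the module loader has reported for module memory across kernel
# versions. Assumption: this set is illustrative and should be tuned by inspecting
# /proc/vmallocinfo on a known-good host running the same kernel.
MODULE_LOADER_CALLERS = ("load_module", "module_alloc", "move_module",
                         "module_memory_alloc")

# Constructed /proc/modules sample (fields: name size refcount deps state address).
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a50000
e1000 159744 0 - Live 0xffffffffc0a10000
"""

# Constructed /proc/vmallocinfo sample. The first two loader allocations belong to
# the modules listed above; the third has no owner in /proc/modules.
SAMPLE_VMALLOCINFO = """\
0xffffffffc0a10000-0xffffffffc0a39000  167936 module_alloc+0x1f/0x30 pages=40 vmalloc N0=40
0xffffffffc0a50000-0xffffffffc0a55000   20480 module_alloc+0x1f/0x30 pages=4 vmalloc N0=4
0xffffffffc0b00000-0xffffffffc0b0a000   40960 module_alloc+0x1f/0x30 pages=9 vmalloc N0=9
0xffffc90000001000-0xffffc90000003000    8192 acpi_os_map_iomem+0x1a3/0x1d0 phys=0xfed00000 ioremap
"""


@dataclass(frozen=True)
class Module:
    name: str
    size: int
    base: int


@dataclass(frozen=True)
class Alloc:
    start: int
    end: int
    caller: str


def parse_proc_modules(text: str) -> List[Module]:
    """Parse /proc/modules lines into (name, size, base address)."""
    modules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        modules.append(Module(fields[0], int(fields[1]), int(fields[5], 16)))
    return modules


# start-end, size, then the caller symbol (symbol+offset/length); flags follow.
_VMALLOC_RE = re.compile(r"^(0x[0-9a-f]+)-(0x[0-9a-f]+)\s+\d+\s+(\S+)")


def parse_vmallocinfo(text: str) -> List[Alloc]:
    """Parse /proc/vmallocinfo lines into (start, end, caller symbol)."""
    allocs = []
    for line in text.splitlines():
        m = _VMALLOC_RE.match(line)
        if not m:
            continue
        caller = m.group(3).split("+", 1)[0]  # drop the +offset/length suffix
        allocs.append(Alloc(int(m.group(1), 16), int(m.group(2), 16), caller))
    return allocs


def find_orphan_module_allocations(modules_text: str, vmalloc_text: str) -> List[Alloc]:
    """Return loader allocations whose start lies inside no listed module.

    Assumption: one contiguous allocation per module, so [base, base+size) from
    /proc/modules covers it. Kernels that allocate module sections separately
    need the per-section addresses from /sys/module/<name>/sections/ instead.
    """
    modules = parse_proc_modules(modules_text)
    orphans = []
    for alloc in parse_vmallocinfo(vmalloc_text):
        if alloc.caller not in MODULE_LOADER_CALLERS:
            continue  # not module memory; ioremap, stacks, etc.
        owned = any(m.base <= alloc.start < m.base + m.size for m in modules)
        if not owned:
            orphans.append(alloc)
    return orphans


if __name__ == "__main__":
    for a in find_orphan_module_allocations(SAMPLE_PROC_MODULES, SAMPLE_VMALLOCINFO):
        print(f"orphan module allocation {a.start:#x}-{a.end:#x} via {a.caller}")
```

Run as root so that /proc/vmallocinfo is readable and the addresses in both files are not zeroed by kptr_restrict. An orphan range tells you that something was loaded and is no longer accounted for; naming the hidden module, as the release note describes, needs further inspection of that memory and is beyond this check.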



Expanded Legacy Device Coverage

Sandfly has the widest and most complete coverage of Linux in the industry. We are further expanding our coverage to more embedded devices with this release, including some that are well over a decade old. With Sandfly 5.5.4 we now support legacy and modern devices running Dropbear SSH and even more ARM processors than before.


Drift Detection Bug Fix

We fixed a bug in drift detection profiles where alerts could be added to a known-good profile by accident. This bug occurred when a host had valid alerts but the user selected non-alert results to add to a profile. In this case, the valid alerts could also be added to the known-good profile, resulting in them being ignored. This is a corner case that is unlikely to affect most customers, but if you think you were affected, you may need to rebuild your drift profiles to resolve it. Please reach out to customer support with any questions if you think you are in this small potential group of users.


False Positives on New Linux Distros

New Linux distributions such as Debian 13 are moving away from legacy log files for login auditing such as wtmp and utmp. We have corrected false alarms that fired when these files were missing, since they will not be present on Linux systems going forward.


UI Bug Fixes

We have made small changes to the UI to fix other bugs and improve operation.


Upgrading Sandfly

Sandfly 5.5.4 has important detection updates and bug fixes, and we recommend customers upgrade at their convenience.


Please be sure to see our documentation on the new features and capabilities:


Sandfly Documentation


Customers wishing to upgrade can follow the instructions here:


Upgrading Sandfly


If you have any questions, please reach out to us or get your own version of Sandfly to try out today.


Thank you for using Sandfly.